265927 2023-12-05 21:24:47 -0800 Crash in JSC::Wasm::SectionParser::parseTableHelper ( this=this@entry=0x7fffffffdae0, isImport=144) at /home/WebKit/Source/JavaScriptCore/wasm/WasmSectionParser.cpp:329 2024-01-30 11:31:45 -0800 1 1 1 Unclassified WebKit WebAssembly WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 247394 1 xiangwei1895 asumu asumu justin_michaud keith_miller mark.lam webkit-bug-importer oldest_to_newest 1997310 0 xiangwei1895 2023-12-05 21:24:47 -0800 ## JavaScriptCore Version 4425cc9b8d966cab3215732b6ae7449d51c713eb ## Build Ubuntu 20.04.2 LTS (Linux 5.15.0-67-generic x86_64) ./Tools/Scripts/build-jsc --jsc-only --debug --build-dir=asan --cmakeargs="-DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-g -O3 -fsanitize=address'" ## Testcase and Execution steps ``` var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,150,128,128,128,0,4,80,0,95,0,80,0,94,127,1,80,0,96,3,127,127,127,1,127,96,0,0,3,130,128,128,128,0,1,2,4,150,128,128,128,0,2,64,0,112,1,1,25,208,112,11,64,0,107,106,1,0,0,65,0,251,32,11,5,132,128,128,128,0,1,1,16,32,13,133,128,128,128,0,2,0,3,0,3,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,138,128,128,128,0,1,8,0,65,203,144,170,207,1,11]); var wasm_module = new WebAssembly.Module(wasm_code); var wasm_instance = new WebAssembly.Instance(wasm_module); var f = wasm_instance.exports.main; f(); ``` ./bin/jsc --useWebAssemblyGC=true --useWebAssemblyTypedFunctionReferences=true testcase.js ## Output Aborted (core dumped) ## Backtrace #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737258203072) at ./nptl/pthread_kill.c:44 #1 __pthread_kill_internal (signo=6, threadid=140737258203072) at ./nptl/pthread_kill.c:78 #2 __GI___pthread_kill (threadid=140737258203072, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 #3 0x00007ffff24c9476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #4 0x00007ffff24af7f3 in __GI_abort () at ./stdlib/abort.c:79 #5 0x00007ffff51b32ea in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:778 #6 0x00007ffff7769fa2 in JSC::Wasm::SectionParser::parseTableHelper ( this=this@entry=0x7fffffffdae0, isImport=144) at /home/WebKit/Source/JavaScriptCore/wasm/WasmSectionParser.cpp:329 #7 0x00007ffff776ec1d in JSC::Wasm::SectionParser::parseTable ( this=0x7fffffffdae0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmSectionParser.cpp:345 #8 0x00007ffff77a1cc5 in JSC::Wasm::StreamingParser::parseSectionPayload ( this=this@entry=0x7fffe8061480, data=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp:197 #9 0x00007ffff77a2f80 in JSC::Wasm::StreamingParser::addBytes ( this=0x7fffe8061480, bytes=0x7fffe800b1a0 "", bytesSize=140, isEndOfStream=<optimized out>) --Type <RET> for more, q to quit, c to continue without paging-- smStreamingParser.cpp:342 #10 0x00007ffff7516f43 in JSC::Wasm::StreamingParser::addBytes (this=0x7fffe8061480, bytes=0x7fffe800b1a0 "", length=140) at /home/WebKit/Source/JavaScriptCore/wasm/WasmStreamingParser.h:81 #11 JSC::Wasm::EntryPlan::parseAndValidateModule (this=0x7fffe8061400, source=0x7fffe800b1a0 "", sourceLength=140) at /home/WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:91 #12 0x00007ffff764e3fa in JSC::Wasm::LLIntPlan::LLIntPlan(JSC::VM&, WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&, JSC::Wasm::CompilerMode, WTF::RefPtr<WTF::SharedTask<void (JSC::Wasm::Plan&)>, WTF::RawPtrTraits<WTF::SharedTask<void (JSC::Wasm::Plan&)> >, WTF::DefaultRefDerefTraits<WTF::SharedTask<void (JSC::Wasm::Plan&)> > >&&) (this=0x7fffe8061400, vm=..., source=..., compilerMode=<optimized out>, task=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:49 #13 0x00007ffff76597ee in JSC::Wasm::Module::validateSync (vm=..., source=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmModule.cpp:98 1997478 1 webkit-bug-importer 2023-12-06 12:54:31 -0800 <rdar://problem/119270769> 2008050 2 asumu 2024-01-26 15:28:05 -0800 Pull request: https://github.com/WebKit/WebKit/pull/23331 2009038 3 ews-feeder 2024-01-30 11:31:37 -0800 Committed 273774@main (8d40b312efa8): <https://commits.webkit.org/273774@main> Reviewed commits have been landed. Closing PR #23331 and removing active labels.